Brussels, 25 May 2023
A resilient, secure and innovative cybersecurity framework that works for all
Brussels, 25 May 2023 – Small Business Standards (SBS) welcomes the European Commission’s proposal for a Cyber Resilience Act (CRA) presented in September 2022. SBS sees the proposal as a necessary step to strengthen the security of connected devices and services in the European Single Market fostering cybersecurity across the supply chain. However, in the context of the European Parliament Committee on Industry, Research and Energy discussions on the draft report of Mr Nicola Danti MEP, SBS calls for the proper consideration of the needs and concerns of SMEs.
On 22 May, SBS released a position paper expressing its support for the Commission’s proposal. SBS however also stresses the additional costs generated by new mandatory requirements for SMEs. If voluntary cybersecurity certification cannot be deemed an option for SMEs, SBS calls for proportionality as well as increased guidance and resources for SME implementation of the new requirements to ensure lower compliance costs.
Moreover, the paper asks to give due consideration to the impact upon smaller companies of standards used in conjunction with the CRA requirements, alongside other practical supporting measures.
SBS suggests the establishment of regulatory sandboxes allowing SMEs to benefit from suitable testing environments before going to market. Clarifications are needed on other points of the proposal for a better implementation by the SMEs – notably on risk assessment requirements and obligations along the supply chain. Finally, to avoid planned obsolescence, SBS proposes that manufacturers of critical products provide security updates for the entire life cycle of their products, or for a period of five years, whichever is longer.
SBS Secretary General Maitane Olabarria commented: “We support the Commission’s intention to set a coherent cybersecurity framework for more secure hardware and software products in the EU. But it is important not to leave anyone behind. SMEs, together with other industry stakeholders, regulators and standardisers, should be included in all stages of the development and implementation of the requirements to ensure we have an ecosystem that benefits all parties involved.”
Read the full position paper here.